OSCAL Is a Noun, You Bring the Verbs
As I watch the OSCAL community expand, I am excited to see an explosive growth in the quantity and quality of OSCAL-based projects. There are many kinds of people involved in OSCAL projects, and I have the wonderful privilege of talking to these many kinds of people, all in different steps of their OSCAL journey. One theme I hear increasingly often from those who have built expertise in OSCAL and get questions from the uninitiated is: OSCAL is a noun, not a verb, why do people not get that!?
With the first production release of OSCAL 1.0.0 in June 2021, there was an understandable desire and pressure in the last year to meet industry demand and implement solutions that bake in OSCAL goodness. During the last year, many developers, security specialists, and executive security leadership embarked on their OSCAL journey. As OSCAL novices, they internalize their own journey and ask a simple question of everyone around them.
How do I OSCAL?
This question conveys the best of intentions, but it is still problematic. Using the word OSCAL as a verb implies that it has agency, that OSCAL can inherently do things for you. Symbolically and metaphorically, maybe it can. But practically speaking, OSCAL is not an agent of change. It is simply a medium. You can hope that it is a verb, wishfully believing it is a change agent that absolves you from the worthwhile challenge of understanding its concepts and internalizing them into your own security program. But that hope is misplaced.
OSCAL, at its core, is an information model (what data makes up a system security plan?) and a set of data models (how do I encode the data that makes up a system security plan in JSON? In XML? In YAML?). By definition, these things are nouns.
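To make the noun/verb distinction concrete, here is an added example (not from the original post or from the OSCAL project) in which the OSCAL JSON document is the noun and the coverage check is a verb you bring. The SSP is a constructed, deliberately minimal fragment that follows the OSCAL 1.0 `system-security-plan` layout; the required control list is an assumption standing in for whatever baseline your program selects.

```python
import json

# Constructed, minimal OSCAL-style system security plan in JSON.
# Only the fields this check reads are included; a real SSP carries far more.
SAMPLE_SSP_JSON = """
{
  "system-security-plan": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {
      "title": "Example SSP (constructed)",
      "last-modified": "2022-01-01T00:00:00Z",
      "version": "1.0",
      "oscal-version": "1.0.0"
    },
    "import-profile": {"href": "profile.json"},
    "control-implementation": {
      "description": "Constructed example for a coverage check.",
      "implemented-requirements": [
        {"uuid": "00000000-0000-4000-8000-000000000002", "control-id": "ac-2"},
        {"uuid": "00000000-0000-4000-8000-000000000003", "control-id": "ac-3",
         "remarks": "Enforced by the identity provider."}
      ]
    }
  }
}
"""

# Assumed baseline: the controls your program requires the SSP to address.
REQUIRED_CONTROLS = ["ac-2", "ac-3", "ac-6"]


def load_ssp(text: str) -> dict:
    """Parse an OSCAL SSP document from JSON text (the noun)."""
    return json.loads(text)


def implemented_control_ids(ssp_doc: dict) -> set:
    """Collect every control-id the SSP claims an implementation for."""
    ssp = ssp_doc["system-security-plan"]
    reqs = ssp.get("control-implementation", {}).get("implemented-requirements", [])
    return {req["control-id"] for req in reqs}


def coverage_gaps(ssp_doc: dict, required: list) -> dict:
    """The verb: compare claimed implementations against the required baseline."""
    have = implemented_control_ids(ssp_doc)
    want = set(required)
    return {
        "covered": sorted(want & have),  # required and claimed
        "missing": sorted(want - have),  # required but not addressed
        "extra": sorted(have - want),    # claimed but not in the baseline
    }


if __name__ == "__main__":
    print(coverage_gaps(load_ssp(SAMPLE_SSP_JSON), REQUIRED_CONTROLS))
```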
So what does this small change in wording and mindset afford you? A whole lot! OSCAL, through its information model and data models, is a catalyst for all the different kinds of people in the security industry to empower themselves. OSCAL, as the official documents say today, is data-centric, integrated, extensible, and automated. These tenets share a central theme: data ownership. So you need to focus on the actual questions.
What am I doing with OSCAL?
How do my security data and workflows fit with OSCAL?
How do I make OSCAL work for my security program?
OSCAL is a noun, you bring the verbs. And this means you own the data and make it work for you.